PDA

View Full Version : spyware not cleaned



robda
2005-12-22, 03:40
Spybot identified but could not clean four problems. I then ran HijackThis and saved the following log:

Logfile of HijackThis v1.99.1
Scan saved at 4:21:46 PM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\Program Files\hijack this\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.ca/nwshp?hl=en&tab=wn&q=
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp90A1.tmp
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SpyAxe] D:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\system32\cmdtel.exe (file missing)
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: V2i Protector - PowerQuest Corporation - D:\Program Files\PQDI 7\Agent\PQV2iSvc.exe


I do not know what to delete or how to proceed from here and hope someone can tell me!!

Many thanks,

Rob

pskelley
2005-12-22, 06:18
Hello and welcome to the forum. Please follow these direction.

Thanks to noahdfear and any others who helped with this fix.

Download smitRem.exe (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1)©noahdfear and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan (http://www.pandasoftware.com/products/activescan.htm) on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/ (http://www.ewido.net/en/download/)

Please read Ewido Setup Instructions (http://rstones12.geekstogo.com/ewidosetup.htm)
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup (http://rstones12.geekstogo.com/adawareSE_setup.htm)
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp90A1.tmp
O4 - HKLM\..\Run: [SpyAxe] D:\Program Files\SpyAxe\spyaxe.exe /h
(the next 016 If you know it is safe you may leave it)
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\system32\cmdtel.exe (file missing)
===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist. We may have more to do.

Thanks...pskelley
Safer Networking Forums

robda
2005-12-22, 21:01
Thank you, pskelley, for your detailed instructions. I have followed each step, but when I try to restart in Safe mode I get this message:

"A problem has been detected and windows has shut down to prevent damage to your computer.

IRQL_NOT_LESS_OR_EQUAL

If this is the first time... restart. If it appears again....

Technical information

*** STOP: 0X0000000A
(0XF8A96354, 0X000000FF, 0X00000001, 0X804E2E41)"

I restarted my computer to "Last known good configuration", then tried to restart again in Safe mode. I received the same error message, with one small change in the "Technical information":

*** STOP: 0X0000000A
(0XF8C16354, 0X000000FF, 0X00000001, 0X804E2E41)

--> 0XF8A96354 changed to 0XF8C16354.

What do you suggest I do now? I am stuck in what seems to be an unsafe mode! (and have not been using my computer for fear of further destruction or hijacking).

Thanks for your help!

Rob

pskelley
2005-12-22, 22:32
Hi Rob, Let me first say we use this fix all of the time and this does not happen. We will figure out why it is happening. Are you using another computer? First, be sure you give me the error messages exactly. When I search Google for this:
IRQL_NOT_LESS_OR_EQUAL I get a load of information. Let me share it with you so we can work on the issue together: http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-26,GGLD:en&q=IRQL%5FNOT%5FLESS%5FOR%5FEQUAL
I am reviewing that information now and it appears it may be that one of the drivers did not load. While I have not received this exact message, since I do much of my maintenance, etc. in safe mode, I have had situations where I had to reboot manually a couple of times to get back to normal mode.
The numbers you are giving me return notthing, please make sure anything you post is exact as you see it.

Here are some troubleshooting methods you can try. You should be able to start your computer in safe mode anytime you wish and return to normal mode easily.

Make sure you read about your Operating System:
http://www.computerhope.com/issues/chsafe.htm#05

Being "stuck" in safe mode generally indicates that one of the main system files (usually called DLLs) is damaged or missing, or that a piece of the computer's hardware is not operating properly. This latter condition could be caused by either a failure in the device or by a missing or improper device driver.
Let's try System File Checker, if a file is missing or corrupt, it will replace it for you. You may need your Windows CD so have it handy. Here are those instructions:
Click Start>Run, type in sfc /scannow, hit Enter.
Note: there is a space between sfc and /scannow
This should replace any corrupted/missing system files and will hopefully fix things. You will need your XP disc in your CD drive for this.
Then try to restart to normal mode. Let me know if that helps.

http://www.techsupportforum.com/archive/index.php/t-18183.html
Try the solution by CTSNKY

Give these ideas a try, keep me posted as it may be a simple thing and once you are back in normal mode, if you followed the directions you should be clean of the Smitfraud trojan.

Thanks...Phil

pskelley
2005-12-27, 17:35
Hello Rob, I have not heard from you since 12/22. I realize this is a busy time of the year, but let me know how you are doing. Are your issues resolved.

Thanks...pskelley
Safer Networking Forums

tashi
2005-12-30, 18:31
robda.
Due to lack of a response to your volunteer helper this topic will be archived.